Venafi Platform 20.3: What’s New  

 
The Venafi Platform has been updated to version 20.3.  
 
The 20.3 release includes new and enhanced capabilities to help Venafi customers manage machine identities, including support for more machine identity types and where those machine identities are needed, increased security for those machine identities, and automation of their life cycles.   
 
This release also sees the introduction of several new and updated product names, including TLS Protect, CodeSign Protect and Endpoint Protect. These names, as well as SSH Protect, are intended to make it easier for customers using multiple Venafi products to identify where Venafi capabilities fit in protecting multiple machine identities.   
 
Highlights from the Venafi 20.3 release are listed below. More details are available in the technical release notes and upgrade considerations article online.  
 
Venafi will host a live webinar on December 15, 2020 to discuss updates in the 20.3 and 20.4 releases. Registration is now open.  

 

Trust Protection Platform Updates  

 
1.    SAML (Modern SSO) Integration for UI Authentication 

 
What Problem Does It Solve?  
Venafi customers want the Venafi Platform to integrate with their single sign-on (SSO) solution, so that Venafi is included in their central solution for controlling authentication to enterprise applications and services and makes it easier for all users to find and access the Venafi Platform.  
 
How Does it Work?  
In the 20.3 release, the Venafi Platform supports the SAML 2.0 standard. Venafi customers using SSO solutions that support SAML 2.0, such as Microsoft Azure Active Directory SSO, Okta, and Ping Identity, can now integrate Venafi with those solutions.  
 
What’s the Benefit?  
Security – Integrating with modern SSO solutions lets Venafi customers take advantage of the benefits those solutions provide. SSO makes it easy for users to access applications securely, allows high authentication security standards such as multi-factor authentication to be applied, and simplifies controlling user access to systems and applications, especially during onboarding and offboarding.  

 
2.    Team Onboarding Enhancements  

 
What Problem Does It Solve?  
Many Venafi customers have hundreds or thousands of teams that could benefit from using the Venafi Platform to protect machine identities. However, many have not fully onboarded them because of challenges in the onboarding process. Venafi has been making improvements to the onboarding experience in previous releases and will continue to do so in the future.  
 
How Does it Work?  
Team onboarding enhancements in the 20.3 release are focused on making it easier for a Venafi administrator or team owner to remove a team member from an existing team. Team owners or Venafi administrators can also change the name of a team. When a team name is changed, all the assets related to the team are updated to reflect the new team name.  
 
What’s the Benefit?  
Efficiency – Team owners have more control over team members and teams without needing to be, or to contact, a Venafi administrator.  

 
3.    Answer File Wizard  

 
What Problem Does It Solve? 
Support for XML answer files for Venafi Configuration Console (VCC) was introduced in the 18.1 release. However, it was difficult to create or maintain the answer files, especially encrypted ones, for the purpose of automation.  
 
How Does it Work?  
Inside VCC, there is a new option for “Answer File Wizard” that runs through the setup wizard. You have the option of loading an existing answer file and disabling input validation so that you can create/update an answer file for your production environment from a lower, non-production environment.  
 
There are also improvements to the VCC Command Line Interface to encrypt/decrypt answer files and to import/export your default software encryption key.  
 
What’s the Benefit?  
Automation – As more organizations are automating their infrastructure through DevOps processes, these answer file improvements and command line switches simplify the automated deployment and upgrade of the Venafi Platform.  

 

4.    User Interface Enhancements 

 

What Problem Does It Solve?  

The Venafi Platform interface must be fast, responsive, and intuitive, especially for customers managing multiple machine identity types.  
 
How Does it Work?  

There are several enhancements in 20.3 that improve performance of the Venafi Platform user interface and make it easier to navigate between products. For example, the Endpoint Protect product is now visible in the product switcher, and Venafi administrators who noticed the Venafi console loading slowly when performing tasks in WebAdmin will see performance improvements in the 20.3 release.  
 
What’s the Benefit?  

Ease-of-Use – Adding to progress from recent releases, it continues to be faster and easier to access capabilities and move between products and the Venafi Platform.  

 

5.  Health and Performance Statistics 

 

What Problem Does It Solve?  

As more organizations include the Venafi Trust Protection Platform in build pipelines and count Venafi as critical infrastructure, understanding the health, performance, and throughput of the platform can help identify trends and address issues before problems arise. 
 
How Does it Work?  

In 2019, a “statistics” feature (an MMC snap-in) and a collection of WebSDK endpoints were introduced so that Venafi customers could view the telemetry the Venafi Platform collects on itself. In the 20.3 release, dozens of new counters are available to provide information on the health of the Venafi Windows servers, the SQL database servers, and the inner workings of Venafi processes and threads. 
 
What’s the Benefit? 

Intelligence – This insight gives Venafi customers the data they need to make sure the Venafi Platform is running optimally. 

Additional Trust Protection Platform Capabilities – See the technical release notes and upgrade considerations article for more detail on these capabilities as well as other new Venafi Platform features.  

 

TLS Protect Updates  

 
1.    New Default Renewal Window Period for Entrust and DigiCert CA Drivers  

 
What Problem Does It Solve?  

Effective September 1, 2020, browser vendors (Mozilla, Google, and Apple) no longer trust any newly issued certificates from public Certificate Authorities (CAs) with a validity lifespan of longer than 398 days. When requesting new and renewing certificates with public CAs, Venafi customers need to adhere to this new lifespan.  
 
How Does it Work?  

The renewal window is the number of days before expiration that Venafi will notify you to begin the renewal process. The default renewal window for Entrust and DigiCert CA drivers is reduced to 32 days.  
 
What’s the Benefit?  

Avoid Outages – The shorter default renewal window helps Venafi customers ensure they are renewing certificates for the 398-day lifespan supported by the browser vendors and not renewing for longer than that, which would make the certificate invalid and could result in a certificate-based outage.   
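As an added illustration, not Venafi's own code, the check below applies the two numbers above from the client side: it flags a certificate whose validity exceeds 398 days and computes when a 32-day renewal window opens. It builds a throwaway self-signed certificate as its sample input; the type, function and field names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Limits from the release notes: public CAs no longer issue certificates valid
// for more than 398 days, and the new default renewal window is 32 days.
const MaxLifespanDays, RenewalWindowDays = 398, 32

// LifespanReport summarises how a certificate sits against those two limits.
type LifespanReport struct {
	LifespanDays int       // NotAfter minus NotBefore, in whole days
	ExceedsMax   bool      // longer than 398 days: browsers will not trust it
	RenewalOpens time.Time // NotAfter minus the renewal window
	InWindow     bool      // now is inside the renewal window and not yet expired
}

// Assess compares a parsed certificate against the limits as of "now".
func Assess(cert *x509.Certificate, now time.Time) LifespanReport {
	days := int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)
	opens := cert.NotAfter.Add(-RenewalWindowDays * 24 * time.Hour)
	return LifespanReport{
		LifespanDays: days,
		ExceedsMax:   days > MaxLifespanDays,
		RenewalOpens: opens,
		InWindow:     !now.Before(opens) && now.Before(cert.NotAfter),
	}
}

// SelfSigned builds a throwaway self-signed certificate (a constructed sample,
// not a CA-issued one) valid for the given number of days from notBefore.
func SelfSigned(notBefore time.Time, days int) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	start := time.Date(2020, 9, 1, 0, 0, 0, 0, time.UTC)
	cert, _ := SelfSigned(start, 400) // longer than 398 days: out of policy
	fmt.Printf("%+v\n", Assess(cert, start.AddDate(0, 0, 370)))
}
```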

 

2.    Trust Store Application Driver for IBM DataPower  

 
What Problem Does It Solve?  

Applications rely on trust stores to determine which issuers to trust and which not to trust. In some cases, applications rely on OS-level trust stores, while others have specific trust stores for their application or use case. Before the 20.3 release, it was not possible to manage the trust stores for IBM DataPower use cases.  
 
How Does it Work?  

The 20.3 release includes a new Trust Store application driver in WebAdmin that allows provisioning of bundled certificates to the Crypto Validation Credential in IBM DataPower.  
 
What’s the Benefit?  

Automation – For certificate trust validation use cases that rely on IBM DataPower, Venafi customers can now leverage global allow/reject rules for root certificates as well as design trust bundles for specific DataPower use cases.  

 

3.    DigiCert CA Driver Enhancement  

 
What Problem Does It Solve?  

DigiCert has consolidated older products into newer ones to make CA enrollment easier for their customers. Venafi customers need TLS Protect to work with these newer products.  
 
How Does it Work?  

In the 20.3 release, Venafi has validated that the DigiCert CA driver continues to operate effectively for all new DigiCert TLS products.  
 
What’s the Benefit?  

Manageability – Customers can lower the number of DigiCert CA templates by taking advantage of consolidated DigiCert certificate products.  

 

4.    Citrix NetScaler Gateway Virtual Server Support  

 
What Problem Does It Solve?  

Citrix Gateway Virtual Server is a network solution that delivers applications to any device, useful for organizations with remote employees who need access to applications and data from anywhere. Ensuring secure communications and services on these gateways requires TLS certificates that need to be proactively managed.  
 
How Does it Work?  

With the 20.3 release, Venafi customers can use Citrix NetScaler Onboard Discovery to discover certificates associated with Gateway Virtual Servers and enable provisioning of certificates to these devices.  
 
What’s the Benefit?  

Manageability – Greater visibility and intelligence into certificates on Gateway Virtual Server and the ability to automate the lifecycle of those certificates.  

Additional TLS Protect Capabilities – See the technical release notes and upgrade considerations article for more detail on these capabilities as well as other new TLS Protect features.  

 

SSH Protect  

 
ANNOUNCEMENT  
CyberArk and Venafi have teamed up to offer an integrated solution for enterprise-wide governance and risk reduction by enabling easy and robust management of SSH keys. The interactive, two-way integration with Venafi’s SSH Protect solution is designed to provide higher levels of automation for system administrators, better visibility for InfoSec teams, and results in fast, successful audits for GRC teams.  


 
1.   Consolidated SSH Key Visibility and Increased Management   

 
What Problem Does It Solve?  

Previously, admins were unable to track where SSH keys were being used or ensure they were being checked out from the CyberArk Vault.  


 
How Does it Work?  

When CyberArk receives the private key, Venafi removes the key from the host so that CyberArk is required for SSH connections.  


 
What’s the Benefit?  

Increased security – Client SSH keys discovered by Venafi can now be removed from the host system and stored in the CyberArk Vault. This forces admins to check out their SSH keys prior to use and allows their corresponding session to be monitored.  

 
2.   Automated Onboarding of SSH User Keys into CyberArk   

 
What Problem Does It Solve?  

Previously, SSH user identities and machine identities were managed separately, leaving keys less secure.  


 
How Does it Work?  

Admins are required to utilize CyberArk as their gateway for private keys.  


 
What’s the Benefit? 

Increased security – Makes onboarding SSH user identities for applications more secure by using CyberArk to check out private keys for admins, while Venafi manages the machine identities and their overall lifecycles.  

 
3.   Session Based Monitoring   

 
What Problem Does It Solve?  

Admins need to monitor sessions and know when they are closed. Previously, sessions were not monitored, leaving admins in the dark as to the activities of the users.  


 
How Does it Work?  

CyberArk’s tools Privileged Session Manager (PSM) and Privileged Session Manager Proxy (PSMP) have the ability to monitor connections.  


 
What’s the Benefit?  

More comprehensive key management – SSH sessions can now be monitored and proactively secured.  

Additional SSH Protect Capabilities – See the technical release notes and upgrade considerations article for more detail on these capabilities as well as other new SSH Protect features.  

 

CodeSign Protect  

 
1.    Apple Native Signing for macOS and iOS  

 
What Problem Does It Solve?  

Customers developing native macOS and iOS applications need to use native Apple tools to sign their code so that those applications can be distributed in the Apple App Stores and installed on their users' devices. Prior to this release, Venafi CodeSign Protect could not be used to manage the code signing process with the native Apple code signing tools.  


 
How Does it Work?  

Venafi CodeSign Protect uses the Apple CryptoTokenKit to enable Apple CodeSign and Xcode to sign code with certificates and keys managed by the Venafi Trust Protection Platform.  


 
What’s the Benefit?  
Increased automation & security – Users of Apple CodeSign and Xcode can now secure their code signing process, automate certificate lifecycle management, and secure their code signing keys with Venafi CodeSign Protect, while keeping the convenience of the code signing utilities provided by Apple. InfoSec organizations and auditors now have complete visibility into, and traceability of, all Apple code signing operations and key usage within the enterprise. Code signing policy for Apple signing can now be enforced automatically.  
 

2.    Timestamping Service  

 
What Problem Does It Solve?  
Software developers need to timestamp their applications when they code sign them, which required a timestamping server. Even though external timestamping services are available for use they often are not suitable for access by automated build systems. In addition, if a timestamping service is not available, the automated build operation can be halted and prevent software from being released. Companies also face another problem around visibility into what software has been timestamped.  
 
How Does it Work?  

Venafi has implemented a timestamping service within CodeSign Protect. It works as follows:  

  • CodeSign Protect proxies customer timestamping requests to pre-configured external/public timestamping services. Customers can pre-configure a list of public timestamping endpoints such as DigiCert and GlobalSign in CodeSign Protect and point their clients and build systems to the Venafi Platform for timestamping requests. 
  • CodeSign Protect acts as an internal timestamping CA service for internally signed/validated software. 

 
What’s the Benefit?  

Increased security – By pointing internal users of code signing to CodeSign Protect instead of an external timestamp server, companies benefit from increased security and traceability that comes from ensuring developers use only CodeSign Protect, instead of directly accessing a public timestamping service. This also provides flexibility, in that security administrators can decide when an external timestamp should be used and when it is acceptable to use an internal timestamping service. Furthermore, CodeSign Protect will now have an audit record and statistics of all timestamping events for all code signing operations.  
 
Increased performance – By leveraging CodeSign Protect’s internal timestamping service for internally signed code, companies avoid hitting usage limits of external timestamping services. This is especially important in DevOps pipelines where code may be signed thousands of times a day.  

 

3.    Pre-approvals user interface  

 
What Problem Does It Solve?  
In situations like DevOps, where automated build systems are responsible for code signing software, waiting for an approval for use of a code signing certificate can interrupt the completion of the build automation. A common method to avoid this is to eliminate any controls around the use of the code signing key, which carries significant security risks for misuse of that key. 

 
 
How Does it Work?  
This new feature supplements prior workflow approval choices by offering the ability for an approver to conditionally pre-approve the use of a code signing key. As part of the pre-approval, they can specify the number of times it can be used, the build machine that is authorized to use it, the period of time the pre-approval is good for, and other parameters that help ensure the key is only used for an appropriate reason.  


 
What’s the Benefit?  
Increased performance without sacrificing security – automated build systems are no longer blocked during a code signing operation while also allowing for controlled use of a particular code signing key.  
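As an added example, not Venafi's own implementation, the model below captures the control described above: a pre-approval that a build system may spend only from one named machine, only within a bounded period, and only a fixed number of times, with a failed check never consuming a use. All type, field and error names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// PreApproval is a hypothetical model of the conditional pre-approval the
// release notes describe. Field names are assumptions, not a Venafi schema.
type PreApproval struct {
	KeyID         string
	BuildMachine  string      // the one build host allowed to use the key
	NotBefore     time.Time   // start of the period the pre-approval is good for
	NotAfter      time.Time   // end of that period (exclusive)
	RemainingUses int         // how many signing operations are still allowed
	Used          []time.Time // audit trail of the uses actually consumed
}

var (
	ErrWrongKey      = errors.New("pre-approval does not cover this key")
	ErrWrongMachine  = errors.New("signing request from an unauthorized build machine")
	ErrOutsidePeriod = errors.New("pre-approval period not active")
	ErrExhausted     = errors.New("pre-approved use count exhausted")
)

// Consume checks every condition and, only when all of them pass, spends one
// use and records it. A rejected request leaves the counter untouched.
func (p *PreApproval) Consume(keyID, machine string, now time.Time) error {
	switch {
	case keyID != p.KeyID:
		return ErrWrongKey
	case machine != p.BuildMachine:
		return ErrWrongMachine
	case now.Before(p.NotBefore) || !now.Before(p.NotAfter):
		return ErrOutsidePeriod
	case p.RemainingUses <= 0:
		return ErrExhausted
	}
	p.RemainingUses--
	p.Used = append(p.Used, now)
	return nil
}

func main() {
	// Constructed sample: one key, one build host, a 24-hour window, two uses.
	start := time.Date(2020, 12, 1, 0, 0, 0, 0, time.UTC)
	p := &PreApproval{KeyID: "release-key", BuildMachine: "build-01",
		NotBefore: start, NotAfter: start.Add(24 * time.Hour), RemainingUses: 2}
	for _, req := range []struct {
		machine string
		at      time.Time
	}{{"build-01", start.Add(time.Hour)}, {"build-02", start.Add(time.Hour)},
		{"build-01", start.Add(2 * time.Hour)}, {"build-01", start.Add(3 * time.Hour)}} {
		fmt.Printf("%s at %s: %v\n", req.machine, req.at.Format(time.Kitchen),
			p.Consume("release-key", req.machine, req.at))
	}
}
```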

 

4.    User-based key/certificate signing  

 
What Problem Does It Solve?  

Prior versions of CodeSign Protect supported code signing certificates issued to organizations for signing software packages, but did not support certificates issued to individuals, for use cases such as signing scripts or source code check-ins with keys and certificates issued to that individual.  


 
How Does it Work?  
Organizations can now assign keys and certificates to specific individuals. These individuals can then sign assets in their own names, using their individual keys and certificates. Individual users will be able to request user-based code signing certificates from within CodeSign Protect, as well as request user-based GPG keys.  


 
What’s the Benefit?  
Increased security – for some assets, such as PowerShell scripts or source code, it is important to know which individual signed the asset. With this version of CodeSign Protect that is now possible.  

Additional CodeSign Protect Capabilities – See the technical release notes and upgrade considerations article for more detail on these capabilities as well as other new CodeSign Protect features.    

 

Ecosystem Partner Updates  

 
While separate from the Venafi 20.3 release, several Venafi Ecosystem Partners have recently introduced products and updates that might complement your current use of the Venafi Platform and products.  
 
These include:     

  • HashiCorp Terraform - Venafi is included in the Terraform Registry, which is the main directory of publicly available Terraform providers, and hosts providers for most major infrastructure platforms. See example usage for both Venafi Cloud and Trust Protection Platform. 
  • Venafi integrations with Jenkins  
    • Venafi Plugin for Jenkins - Venafi customers can use VCert to easily integrate Venafi TLS Protect and Venafi DevOps ACCELERATE with Jenkins CI managed pipelines in a standard way. 
    • Venafi CodeSign Protect Plugin for Jenkins - With this Plugin, Venafi CodeSign Protect becomes a closely integrated service in the software development tool chain to enable DevOps to go fast with Jenkins. 
  • Jamf Pro   
    Jamf Pro now integrates natively with the Venafi Platform for machine identity lifecycle operations, including certificate issuance, renewal, and revocation across enterprise Apple devices and multiple CAs, simplifying the configuration process for EMM/MDM teams while allowing InfoSec to set and enforce consistent policy over machine identities. 
  • Blue Prism and UI Path RPA Bots   
    To further eliminate time spent on repetitive tasks and increase speed of operations, Venafi customers can leverage RPA bots for machine identity management workflows from leading RPA solutions: the Blue Prism and UiPath platforms. 

 
